Re: [xri] XRD trusted discovery workflow

[Dirk Balfanz <balfanz@google.com>]

On Thu, Dec 11, 2008 at 8:06 AM, Brian Eaton <beaton@google.com> wrote:

On Thu, Dec 11, 2008 at 12:05 AM, Dirk Balfanz <balfanz@google.com> wrote:
> I think a URI needs a <Service> context - it seems to me a resource map
> doesn't.
> The current proposal on the wiki says that a resource map is inside a
> service element of type "e-mail to URL translation". We could make that more
> generic, and call it "URI to URI translation", at which point it's saying
> the same thing as URIMap. To me it seems that the following three examples
> all mean the same thing:
> [ my proposal: ]
> <XRD>
>   <URIMap>http://target.com/uri={URI}</URIMap>
> </XRD>

I have two objections to this.

1) What if I want to delegate XRD serving for different services to
different providers?  For example, what if I want PoCo endpoints for
my users served over on poco.example.com, but OpenID endpoints served
over at openid.example.com?  I need a service type field to
distinguish.

Sure. So the first XRD would look like this:

<XRD>
 <URIMap>http://target.com/xrd?uri={URI}</URIMap>
 [...perhaps some other stuff here...]
</XRD>
 
When you hit that XRD with your URI, say email:bob@target.com, or http://bob.target.com, you see the URIMap and thus go to http://target.com/xrd?uri=http://bob.target.com, which returns an XRD that looks like this:

<XRD>
  <Service>
    <Type>http://poco</Type>
    <URI>http://target.com/poco?user=bob</URI>
  </Service>
  <Service>
    <Type>http://openid</Type>
    <URI>http://target.com/openid?id=bob.target.com</URI>
  </Service>
</XRD>

Voila. :-)

2) What if the target on the URIMap is under a different authority,
e.g. http://example.com uses a URIMap to indicate that XRDs will be
served over on http://target.com.  (XRD hosting as a service).  The
target.com server will not be able to sign documents with the
example.com key.  It's really important that we be able to delegate
authority at or before a URIMap.

Ok, so something like:

<XRD>
  <URIMap template="http://target.com/xrd?uri={URI}">
    <Delegation>
      <ds:KeyName>...</ds:KeyName>
    </Delegation>
  </URIMap>
 </XRD>

Although at this point I have to admit that this is not much simpler than

<XRD>
  <Service>
    <Type>http://specs.xri.org/uri-to-uri-mapping</Type>
    <URI>"http://target.com/xrd?uri={URI}"</URI>
    <Delegation>
      <ds:KeyName>...</ds:KeyName>
    </Delegation>
  <Service>
 </XRD>

So that seems fine with me, too.

I do think that something like

<Service>
  <Type>uri-to-uri-map</Type>
  <URIMap>...</URIMap>
</Service>

doesn't make much sense b/c both the <Type> element _and_ the <URIMap> element say that this is a URI map. We don't need to say it twice.

 

OK, I guess I have a third objection, counting has never been my
strong suit.  If you accept that we need to be able to delegate
authority at or before a URIMap, and you accept that we might want to
do limited (by service) delegation of authority, it's important that
Delegation be limited to a particular type.

You can do that, too: You don't change the authority going through the URI Map, and then you change the authority after that, with different authorities for different types.

Dirk.